[CLASSIFIED]

Digital Forensics & Incident Response — Workstation

OPERATOR: MATÉO BUSALLI | CLEARANCE: ACADEMIC RESEARCH | FRAMEWORK: LEGAL & ETHICAL OSINT
investigator@dfir-lab:~/cases$ ls -la --classified
drwxr-x--- investigator dfir-team 4096 /home/investigator/cases/
[DIR]
jan-2026-epitech-leak-analysis/
2026-01-22 ANALYSIS COMPLETE ACADEMIC RESEARCH
case-summary.sh
$ ./analyze --case epitech-leak-jan2026
[INFO] Loading case file...
[OK] Case loaded successfully
═══════════════════════════════════════════
CASE: Epitech Data Leak — January 2026
DATE: 2026-01-22 18:16 UTC+1
PLATFORM: Breachforums
THREAT ACTOR: telaviv
DATA VOLUME: 5.4 MB
EXPOSURE: 1422 views | 28 replies
RECURRENCE: 31 similar incidents from same actor
═══════════════════════════════════════════
[!] Compromised data: Name, Surname, Phone, Email

[>>] Attack Vector Analysis

Target:       Azure AD B2B (epitechfr.onmicrosoft.com)
Method:       Microsoft Graph API (API abuse / token theft)
Extraction:   Automated JSON export (Directory.Read.All)
Exfiltration: Breachforums (5.4 MB, 1422 views)

[&&] Technical Analysis

EVIDENCE #EXT# Pattern — Guest Account Sample
sample_data.json
// Anonymized sample — B2B Guest Account pattern
{
    "email": "alice.Martin_example.fr#EXT#@demo.onmicrosoft.com",
    "nom": "Alice Martin",
    "phone": "+33612345678"
}

// Key indicator: #EXT# suffix = Azure AD B2B Guest
// Host tenant: epitechfr.onmicrosoft.com
// Origin domain: @iseg.fr (external partner)
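Added example (not part of the original case file): a small Python triage helper that decodes the #EXT# pattern shown above into the guest's original external address and host tenant, then scopes a leaked export by guest/member count and partner domain. The records in SAMPLE are constructed in the same JSON shape as the evidence sample and are not leak data.

```python
import json
import re
from collections import Counter

# Azure AD B2B guest UPNs look like <local>_<domain>#EXT#@<host-tenant>:
# the "@" of the invited external address is replaced by "_". The local
# part may itself contain "_", so the domain is everything after the LAST "_".
_EXT_RE = re.compile(r"^(?P<mangled>.+)#EXT#@(?P<tenant>[^@]+)$", re.IGNORECASE)


def parse_upn(upn: str) -> dict:
    """Classify one UPN as a B2B guest (#EXT#) or a regular member account.

    For guests, recover the original external address and the host tenant."""
    m = _EXT_RE.match(upn.strip())
    if not m:
        domain = upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""
        return {"type": "member", "email": upn, "origin_domain": domain, "host_tenant": domain}
    mangled, tenant = m.group("mangled"), m.group("tenant").lower()
    if "_" not in mangled:  # malformed: nothing to un-mangle, keep it but flag it
        return {"type": "guest", "email": None, "origin_domain": "", "host_tenant": tenant}
    local, domain = mangled.rsplit("_", 1)
    return {"type": "guest", "email": f"{local}@{domain}",
            "origin_domain": domain.lower(), "host_tenant": tenant}


def triage(records: list) -> dict:
    """Scope a leaked directory export: guests vs members, which host tenants
    were enumerated, and which partner domains must be notified."""
    parsed = [parse_upn(r["email"]) for r in records]
    return {
        "total": len(parsed),
        "guests": sum(p["type"] == "guest" for p in parsed),
        "members": sum(p["type"] == "member" for p in parsed),
        "host_tenants": Counter(p["host_tenant"] for p in parsed),
        "origin_domains": Counter(p["origin_domain"] for p in parsed if p["type"] == "guest"),
    }


# Constructed records in the same JSON shape as the evidence sample (not leak data).
SAMPLE = json.loads("""[
  {"email": "alice.Martin_example.fr#EXT#@demo.onmicrosoft.com", "nom": "Alice Martin", "phone": "+33612345678"},
  {"email": "jean_paul.durand_partner-school.example#EXT#@demo.onmicrosoft.com", "nom": "Jean-Paul Durand", "phone": "+33600000001"},
  {"email": "bob.lee_example.fr#EXT#@demo.onmicrosoft.com", "nom": "Bob Lee", "phone": "+33600000002"},
  {"email": "staff.account@demo.onmicrosoft.com", "nom": "Staff Account", "phone": "+33600000003"}
]""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

The origin_domains counter is the notification list for partner institutions; the host_tenants counter confirms the export came from a single tenant, consistent with one Graph API session rather than scattered scraping.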
[API]

Suspected API Scopes

  • Directory.Read.All
  • User.Read.All
  • Contacts.Read
[CMD]

Possible Tooling

  • Connect-MgGraph (PowerShell)
  • Graph Explorer
  • Custom REST API Script
[LOG]

Forensic Indicators

  • Homogeneous JSON format
  • #EXT# pattern (Azure AD guests)
  • No parsing errors (automated)
[LVL]

Sophistication Level

MEDIUM — Clean automated extraction, not brute scraping

[??] Attack Hypotheses

H1 [HIGH]   Malicious OAuth Application
            Rogue app with admin/user consent granting excessive directory read permissions
H2 [HIGH]   Compromised Graph API Token
            Stolen access token with Directory.Read.All and User.Read.All scopes
H3 [MEDIUM] Automated Export Pipeline
            PowerShell/REST script chaining Graph API calls for mass directory extraction

[!!] Post-Incident Action Plan

0-24H — IMMEDIATE
Containment
  • Block suspicious accesses identified in logs
  • Disable vulnerable public endpoints
  • Implement strict API rate limiting
  • Activate WAF anti-scraping rules
Notification
  • Notify CNIL within 72h (GDPR)
  • Prepare user communications
  • Inform legal team & DPO
  • Alert internal teams
Investigation
  • Extract web server logs
  • Identify exact attack vector
  • Establish complete timeline
  • Verify system integrity
1-7 DAYS — SHORT TERM
Anti-Scraping
  • Deploy CAPTCHA on sensitive pages
  • Implement honeypots for bots
  • Require authentication for profile access
  • Obfuscate public PII
Monitoring
  • Alert on anomalous request patterns
  • Advanced bot fingerprinting
  • Dark web forum monitoring
  • Force MFA on privileged accounts
User Protection
  • Individual notification to affected users
  • Recommend password changes
  • Phishing awareness alerts
  • Identity theft protection resources
1-4 WEEKS — MEDIUM TERM
Security Audit
  • External pentest engagement
  • Full vulnerability scan
  • Security architecture review
  • GDPR compliance verification
Governance
  • Security incident registry
  • Updated risk matrix
  • Incident response procedures
  • DevOps security training
Transformation
  • Zero Trust Architecture
  • Least Privilege Principle
  • End-to-end encryption
  • Privacy by Design

[ID] Threat Actor Profile

Handle:           telaviv (Breachforums)
Known leaks:      31
Reputation score: 50
Account created:  Dec 2025
[>]
"Protect your data." Has the CNIL actually done anything today? NO
— Accompanied by CNIL logo, indicating anti-regulatory stance